Graduated Physical Actuation Modes
by Nick Clark | Published April 25, 2026
Graduated physical actuation modes are categorically distinct operational outcomes selected by a composite admissibility evaluator running against credentialed governance policy. The disclosed mechanism replaces the prevailing binary permit-or-suppress treatment of actuator commands with a structured set of modes — full, reduced, minimal, hold, and structurally adjacent variants such as simulated, advisory, consultative, shadowed, partial, constrained, stage-gated, deferred, emergency-accelerated, and emergency-overridden — each carrying its own commit-authority profile, verification obligation, reversibility envelope, and operator-involvement contract. Mode selection is deterministic, lineage-recorded, and audit-reconstructible from the inputs alone, and every transition between modes is itself a credentialed observation subject to retrospective audit. This article describes the mechanism, its operating parameters, alternative embodiments, composition with adjacent safety primitives, the prior-art distinctions that justify a separate disclosure, and the boundaries of the disclosed scope.
Mechanism
The disclosed mechanism interposes a deterministic mode-selection stage between the upstream decision authority that proposes a physical action and the downstream actuator that would execute it. The mode-selection stage consumes a typed action proposal — including its requested authority level, declared capability envelope, temporal scope, and proposing identity — together with a composite admissibility computation drawn from the operating system's governance state. The output is not a permit-or-suppress flag. It is a typed mode selection accompanied by a structured rationale and a lineage record.
The composite admissibility computation aggregates four orthogonal dimensions: the credentialed authority of the proposer (whether the proposing identity holds an admitted credential within the policy's required scope), the evidential weighting of the supporting observations (how strongly the observations underwriting the proposal are credentialed, and how recent and coherent they are), the capability-envelope conformance (whether the requested authority falls within the bounds the governance policy admits for the current operating context), and the temporal disposition (whether the action's temporal scope aligns with the operating window the policy admits). Each dimension produces a typed sub-result; the composite admissibility evaluator combines them deterministically against the policy in force.
Mode selection is the projection of the composite admissibility result onto the policy's declared mode space. The policy enumerates the modes admitted in the current operating context and specifies, for each mode, the admissibility region in the four-dimensional sub-result space that selects it. The mapping is a partition of the admissibility space, so every input maps to exactly one mode. The partition is signed by the credentialing authority and is immutable for the duration of its admission.
Each mode is structurally distinct in the contract it imposes on downstream execution. Full mode commits the proposed action at the requested authority. Reduced mode commits at a fraction of the requested authority within a declared envelope. Minimal mode commits the smallest authority that still produces an effect. Hold mode does not commit but retains the proposal in a deferral queue pending additional evidence. Simulated mode runs the action computation against an internal state shadow without affecting any external actuator. Advisory mode surfaces the proposal to a human operator without commanding the actuator. Consultative mode requires explicit human ratification before commit. Shadowed mode commits the action in a parallel verification path while the primary actuator remains under human or fallback control. Partial mode commits a declared fraction of the requested authority. Constrained mode commits within a reduced operational envelope. Stage-gated mode commits in successive bounded stages with intermediate evaluation. Deferred mode holds the proposal for evidence-driven re-evaluation. Emergency-accelerated mode commits at elevated priority under a credentialed preemption budget. Emergency-overridden mode commits despite ordinary admissibility failure under a credentialed override carrying its own audit obligation.
Every mode selection is lineage-recorded. The lineage record captures the action proposal, the composite admissibility sub-results, the policy version in force, the selected mode, and the credentialing authority of record for each contributing element. The lineage record is itself a credentialed observation signed by the operating system's lineage authority and is replayable: given the same inputs and the same policy version, a fresh evaluation produces the same mode. Audit reconstruction is therefore not a forensic reconstruction of probabilistic decisions but a deterministic replay of a recorded computation.
Transitions between modes are themselves audit-bearing events. A transition from full to reduced under degraded admissibility, a transition from advisory to consultative under elevated risk posture, a transition from any mode to hold under credentialed authority — each transition is a typed event with its own lineage record. Sequences of transitions form an inspectable history that audit can traverse without ambiguity.
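The selection, lineage, and transition behaviour described above can be made concrete with a short sketch. This is an added example, not code from the article or the underlying disclosure: the cut points, the four-mode table, the proposal fields, and the SHA-256 digest standing in for the credentialing authority's signature are all constructed assumptions.

```python
import bisect, hashlib, json
from itertools import product

# Constructed sample policy: cut points per sub-result (hypothetical units).
CUTS = {"authority": [2],        # credential level: <2 | >=2
        "evidence": [0.5, 0.9],  # confidence: <0.5 | 0.5 to 0.9 | >=0.9
        "margin": [0.0],         # envelope margin: <0 | >=0
        "window": [1.0]}         # window conformance: <1 | >=1
DIMS = list(CUTS)
CELLS = list(product(*(range(len(CUTS[d]) + 1) for d in DIMS)))

def _assign(a, e, m, w):
    # Used once to build the explicit table below; not consulted at runtime.
    if m == 0 or w == 0:
        return "hold"
    return "advisory" if a == 0 else ("hold", "reduced", "full")[e]

TABLE = {c: _assign(*c) for c in CELLS}   # one mode per cell: a partition

def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

# Stand-in for the signed policy version: a hash over cuts and table.
POLICY_ID = digest({"cuts": CUTS, "table": [[list(c), TABLE[c]] for c in CELLS]})

def cell(sub):
    """Index of the partition cell containing the four sub-results."""
    return tuple(bisect.bisect_right(CUTS[d], sub[d]) for d in DIMS)

def select(proposal, sub):
    """Deterministic mode selection plus its lineage record."""
    body = {"proposal": proposal, "sub": sub, "policy": POLICY_ID,
            "mode": TABLE[cell(sub)]}
    return {**body, "record_id": digest(body)}

def replay(record):
    """Audit: re-evaluate the recorded inputs and compare the whole record."""
    return select(record["proposal"], record["sub"]) == record

def transition(prev, new):
    """A mode change is its own event, linked to both lineage records."""
    if prev["mode"] == new["mode"]:
        return None
    body = {"from": prev["mode"], "to": new["mode"],
            "prev": prev["record_id"], "next": new["record_id"]}
    return {**body, "event_id": digest(body)}
```

Because `replay` compares the full record, a stored record whose mode was edited after the fact fails the audit even when its inputs and record identifier are untouched.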
Operating Parameters
The mode-selection stage operates against a policy that declares (i) the admitted mode set for the current operating context, (ii) the partition of the admissibility space onto that mode set, (iii) the per-mode commit-authority bounds expressed in the actuator's native units, (iv) the per-mode verification obligations, and (v) the per-mode reversibility envelope. Each declaration is expressed in typed units mechanically checkable against the actuator's declared capability schema.
Composite admissibility sub-results are bounded scalars in declared units. Credentialed-authority strength is expressed as a discrete level drawn from the credentialing schema. Evidential weighting is expressed as a confidence in declared units, with explicit handling of unobservable and stale observations. Capability-envelope conformance is expressed as a margin in the actuator's native units. Temporal disposition is expressed as a window-conformance metric in declared time units. The partition mapping is a piecewise-constant function over the bounded sub-result space, and the policy declares the mapping explicitly rather than implicitly through thresholds.
Reversibility envelopes are critical operating parameters. Full mode admits actions whose effects exceed a declared reversibility budget; reduced and constrained modes admit only actions within a tighter envelope; hold and deferred modes admit no committed effect at all; shadowed mode admits effects only within the parallel verification path. The reversibility envelope is signed by the credentialing authority and is checked mechanically against the action proposal before mode selection runs.
Verification obligations specify what the system must observe after commit to confirm the action took the expected effect. Full mode typically declares observation cadences and acceptance bands. Stage-gated mode declares per-stage observation requirements that must succeed before the next stage commits. Shadowed mode declares parallel verification through an independent observation path. Each obligation is recorded as part of the mode record and is checked at the obligation's declared cadence.
Override and preemption budgets are bounded operating parameters. Emergency-overridden mode is admitted only under a credentialed override carrying a bounded budget — a declared count of overrides per operating window — and each consumed override is recorded against the budget. Emergency-accelerated mode is admitted only when the proposing authority holds a credential carrying a declared preemption budget. Budgets are non-replenishable within their declared window without an explicit credentialed top-up.
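One way to model the bounded override budget, as an added example that is not part of the original article or the disclosure. The credential fields (`scope`, `window`, `holder`), the issuer names, and the `resolve_mode` helper are hypothetical, and credentials are treated as already verified.

```python
from dataclasses import dataclass, field

@dataclass
class OverrideBudget:
    """Bounded override count for one operating window (constructed model)."""
    window_id: str
    limit: int
    admitted_issuers: frozenset          # authorities allowed to top up
    consumed: list = field(default_factory=list)
    top_ups: list = field(default_factory=list)

    def remaining(self):
        return self.limit + sum(n for _, n in self.top_ups) - len(self.consumed)

    def consume(self, proposal_id, credential):
        """Record one override against the budget, or refuse it."""
        if (credential.get("scope") != "override"
                or credential.get("window") != self.window_id):
            return None                  # credential does not cover this window
        if self.remaining() <= 0:
            return None                  # budget exhausted: no silent refill
        entry = {"seq": len(self.consumed) + 1, "proposal": proposal_id,
                 "holder": credential["holder"], "window": self.window_id}
        self.consumed.append(entry)
        return entry

    def top_up(self, issuer, count):
        """Only an admitted authority may extend the budget inside the window."""
        if issuer not in self.admitted_issuers or count <= 0:
            return False
        self.top_ups.append((issuer, count))
        return True

def resolve_mode(selected_mode, budget, proposal_id, credential):
    """Ordinary selection stands unless a budgeted override is consumed."""
    entry = budget.consume(proposal_id, credential) if credential else None
    return ("emergency-overridden", entry) if entry else (selected_mode, None)
```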
Alternative Embodiments
The mode-selection stage may be embodied as an in-process library inside the actuator's control loop, as an out-of-process arbiter consuming proposals through a typed channel, or as a distributed evaluator with each contributing dimension evaluated locally and the composite assembled at a credentialed coordinator. The mechanism is independent of the deployment topology so long as the evaluation is deterministic, the mode set is governance-credentialed, and the lineage is admissibly recorded.
In an embodiment specialized for automotive autonomy, the mode set maps onto operational design domain transitions: full mode corresponds to autonomous operation within the declared ODD, reduced mode to operation within a contracted ODD, constrained mode to operation under elevated supervision, advisory mode to driver-takeover prompts, and hold mode to minimum-risk-condition execution. In an embodiment specialized for surgical robotics, the mode set maps onto the surgical workflow: full mode for autonomous suturing within bounded tissue regions, consultative mode for confirmation-required actions, shadowed mode for verification of contemplated commands during teleoperation, and emergency-overridden mode for surgeon-initiated overrides bound by the platform's audit obligation.
In a defense embodiment, the mode set composes with rules-of-engagement governance: full mode for actions within the credentialed ROE envelope, constrained mode for actions within a reduced engagement envelope, stage-gated mode for actions requiring intermediate authorization, advisory mode for actions requiring operator approval, and hold mode for actions deferred pending additional intelligence. Each mode carries a credential trail back to the issuing ROE authority.
The mode set is extensible by credentialed governance update. A new mode may be added by an authority within its credentialed scope; the addition is propagated through the governed mesh and is admitted by operating systems that credential the issuing authority. Existing modes are immutable within their declared version, so additions never silently change the semantics of admitted modes; they only extend the admissible mode set.
In an embodiment supporting cross-jurisdictional fleet operation, the policy in force is selected by jurisdictional admissibility: a fleet entering a new jurisdiction admits the local authority's policy as part of its operating governance, and the partition mapping is updated atomically at the jurisdictional boundary. The same actuator hardware therefore operates under different admissible mode sets in different jurisdictions without per-jurisdiction re-engineering.
Composition With Adjacent Primitives
The mode-selection stage composes with existing functional-safety logic without subsuming it. Functional-safety floors specified by ISO 26262, IEC 61508, IEC 61511, and analogous standards remain unconditional bounds: any action that violates the floor is suppressed regardless of admissibility. The mode-selection stage operates above the floor, selecting among admissible modes for actions that pass the safety bound. The composition is deliberately stratified so that conformance to existing safety standards is preserved without modification.
The mechanism composes with the broader Cognition Patent's admissibility, lineage, and governance primitives. The composite admissibility computation consumes the same typed observations and credentialed admissibility judgements that other operating-system stages consume. The lineage record produced by mode selection is admissible into other operating systems that credential the same lineage authority, supporting cross-system audit reconstruction.
The mode set composes with confidence-graduated attribution. A high-confidence attribution from a credentialed signature may push admissibility toward full or stage-gated mode; a low-confidence attribution may push admissibility toward advisory or hold mode. The composition is deterministic and lineage-recorded, so the relationship between attribution confidence and selected mode is reproducible from the recorded inputs alone.
Prior-Art Distinction
Binary permit-or-suppress architectures conflate categorically different operational outcomes — running, restricted, supervised, deferred, simulated — into a single boolean and therefore cannot express the structured contracts that real autonomous-physical systems require. The disclosed mechanism is structurally distinct in producing typed modes, each with declared commit authority, verification obligation, and reversibility envelope.
Continuous risk-modulation architectures treat actuator authority as a scalar to be scaled by a risk score. The disclosed mechanism is structurally distinct in that the modes are categorical rather than scalar projections: shadowed mode is not a smaller version of full mode; consultative mode is not a smaller version of advisory mode. Categorical distinctions are necessary because the verification obligations and operator contracts differ structurally rather than merely in magnitude.
Existing functional-safety standards specify safe-state reachability and floor conditions but do not specify a credentialed, lineage-bearing mode-selection mechanism above the floor. The disclosed mechanism is positioned above the existing standards rather than as a replacement, and is structurally distinct in producing audit-reconstructible mode selections from credentialed inputs.
Operational-design-domain frameworks describe the bounds within which an autonomous system is designed to operate but do not specify the mechanism by which an actuator's effective mode is selected within those bounds. The disclosed mechanism is structurally distinct in providing the deterministic, credentialed selection mechanism that ODD frameworks rely on but do not themselves provide.
Disclosure Scope
The disclosure scope encompasses any system that interposes a deterministic mode-selection stage between an action proposal and an actuator commit, where the mode is selected from a governance-credentialed mode set by composite admissibility, where mode selection is lineage-recorded and replayable, and where transitions between modes are themselves audit-bearing events. The disclosure is independent of the specific actuator class, the specific application domain, and the specific deployment topology, so long as the structural elements — typed mode set, credentialed policy, deterministic selection, lineage-bearing record, audit-bearing transitions — are present.
The disclosure also encompasses the governance pathways for mode-set lifecycle: declaration by a credentialing authority, propagation through a governed mesh, admission by an operating system, evaluation against admissible action proposals, atomic update at jurisdictional boundaries, and retrospective audit reconstruction from the recorded lineage. Embodiments that omit any structural element fall outside the disclosed scope; embodiments that vary the actuator class, the application domain, or the deployment topology while preserving the structural elements remain within scope.